enterprise risk management, steven sumners

Enterprise Risk Management P w C

Upload: roro2191

Post on 18-Feb-2016


DESCRIPTION

Enterprise Risk Management,

TRANSCRIPT

Page 1: Enterprise Risk Management, Steven Sumners

Enterprise Risk Management

PwC

Page 2: Enterprise Risk Management, Steven Sumners

ERM

Steven Sumner
Director, PricewaterhouseCoopers

Page 3: Enterprise Risk Management, Steven Sumners

Does ERM matter?

“Risk management adds value not only to individual companies, but also supports overall economic growth by lowering the cost of capital and reducing the uncertainty of commercial activities.”

James Lam, “Enterprise Risk Management – From Incentives to Controls”

PricewaterhouseCoopers, Fiscal Year 2009

Slide 3

Page 4: Enterprise Risk Management, Steven Sumners

Risk management: lessons learned

“Given the central role of effective, firmwide risk management in maintaining strong financial institutions, it is clear that supervisors must redouble their efforts to help organizations improve their risk-management practices…We are also considering the need for additional or revised supervisory guidance regarding various aspects of risk management, including further emphasis on the need for an enterprise-wide perspective when assessing risk.”

Ben Bernanke
Speech given May 2008: “Risk Management in Financial Institutions”

“These institutions…, comforted in the belief that the rating agencies had carefully examined and modeled the risks in arriving at their rating of these securities, apparently saw little need to conduct their own due diligence, risk management, modeling and valuation processes.”

Bob Herz, FASB
Speech given September 2008: “Lessons Learned, Relearned, and Relearned Again from the Credit Crisis – Accounting and Beyond”

Page 5: Enterprise Risk Management, Steven Sumners

“Many risks are preventable”

Page 6: Enterprise Risk Management, Steven Sumners

Agenda

• Recent lessons learned
• PwC survey highlights
• ERM governance
• Role of the CRO
• Board reporting
• ERM Survey Results
• Closing the gaps

Page 7: Enterprise Risk Management, Steven Sumners

Section agenda

Recent lessons learned

Page 8: Enterprise Risk Management, Steven Sumners

Risk management: lessons learned

SSG Report: “Observations on Risk Management Practices during Recent Market Turbulence”
• Senior management oversight
• Risk identification and measurement
• Valuation practices
• Liquidity risk management

Page 9: Enterprise Risk Management, Steven Sumners

Senior Supervisory Group (“SSG”) Financial Services Organizations – Risk Management Practices

Successful Companies / Unsuccessful Companies

• Portfolio view of exposures and risks
• Concentration of exposures/aggregation
• Balance between risk appetite & controls
• Pricing of liquidity and contingent liquidity
• Scenario modeling capabilities and risk quantification
• Certain risk management practices
• Controls over risk management and valuation practices
• Sharing of qualitative and quantitative information
• Enforcement of controls
• Liquidity risk management
• Wide range of risk measures and tools for credit and market risk
• Lack of a forward looking view of risk
• Standards for what constitutes market risk
• Timely reporting of risk to board and sr. mgmt
risk transfer
• Sr. mgmt’s role in understanding and acting on emerging risks

Page 10: Enterprise Risk Management, Steven Sumners

Section agenda

PwC survey results

Page 11: Enterprise Risk Management, Steven Sumners

PwC survey results

PwC’s Global ERM Survey 2008

Survey participation:
• Over 100 pages of detailed questions
• 53 Global Life and P&C Insurers and Reinsurers (44 in 2004)
• 20 US Insurers (9 in 2004)
• 9 Bermuda Insurers

Survey output:
• Published report – June 2008
• Customized self-assessment reports for each participant
• Detailed individual survey questions & responses benchmarked against all participants, peers and similar organizations

Page 12: Enterprise Risk Management, Steven Sumners

PwC’s Insurance ERM Global Survey - 2008 … www.pwc.com

PwC survey results

Page 13: Enterprise Risk Management, Steven Sumners

Key themes: how far have insurers come?

PwC survey results

• Embedding of ERM
• ERM governance
• Risk data and modeling
• Aligning risk and finance
• Risk assessment

Page 14: Enterprise Risk Management, Steven Sumners

PwC’s Global ERM Survey 2008

PwC survey results

ERM progress since 2004

Strong Progress / Some Progress / Limited Progress

• Firm-wide understanding of ERM
• Setting of overall risk appetite
• Data quality and data availability
• Linkage of risk appetite with objectives
• Linkage between risk models and strategic planning
• Modeling capabilities
• CRO role
• Board & Management priorities/oversight
• ERM roles, responsibilities & accountabilities
• Consistent & well understood policies & procedures
• Trend toward Board level ERM committee structure
• Business Unit alignment with risk appetite & tolerance
• Timely reporting of risk to Board & Sr. management
• Portfolio view of risk
• Risk disclosures
• Risk data or systems strategies
• Risk mitigation & learning
• Risk technology
• Limits monitoring, enforcement & exception approval

Page 15: Enterprise Risk Management, Steven Sumners

Section agenda

ERM governance

Page 16: Enterprise Risk Management, Steven Sumners

ERM governance

Current credit crisis is another eye-opener to policymakers, regulators, rating agencies, boards and management.

• Highlights the importance and necessity for the role of effective ERM governance, involving the board and senior management:
  - Effective governance structures are required and in place to enable:
  - Monitoring
  - Multiple levels
  - Elements of an ERM Framework

Page 17: Enterprise Risk Management, Steven Sumners

Effective governance structures and organizational design can help meet stakeholder expectations in a more effective and efficient manner

ERM governance

Governance: Setting and monitoring objectives, tone, policies, risk appetite, accountability and performance.

Risk Management: Identifying and assessing risks that may affect the ability to achieve objectives and determining risk response strategies and control activities.

Compliance: Operating in accordance with objectives and ensuring adherence with laws and regulations, internal policies and procedures, and stakeholder commitments.

Extended Enterprise & Value Chain

Page 18: Enterprise Risk Management, Steven Sumners

When evaluating governance structures and processes, consider the expectations of various stakeholders…

ERM governance

• Regulators
  - NAIC, SEC
• New York Stock Exchange Listing Standards
  - Audit committee risk oversight
  - Internal audit department
• Institutional Shareholders
• Rating Agencies
  - S&P, AM Best, Moody’s, Fitch
• People

Page 19: Enterprise Risk Management, Steven Sumners

…As well as emerging frameworks enabling effective ERM

ERM governance

[Figure: ERM framework with layers Strategy, Process, Infrastructure and Environment, plus Validation/re-assessment]
Strategy: Business mission and strategy; Risk strategy; Value proposition; Risk appetite
Process: Risk awareness/Identification; Risk assessment/Response; Operations; Measurement and Control; Reporting
Infrastructure: Organisation and people; Limits and controls; Methodologies & Models; Systems; Data; Policies; Reporting
Environment: Culture; Training; Communication; Performance measures; Reward

Page 20: Enterprise Risk Management, Steven Sumners

Effective governance and organization are critical to embedding ERM into the business

ERM governance

• Business objectives
• Integrated and scalable
• Risk appetite and tolerance
• Portfolio view of risk
• Role clarity
• Common risk and control language
• Process, risk, control libraries
• Risk and Control Self Assessment (RCSA)
• Risk adjusted performance management
• Economic capital
• Benchmarking
• KRIs and reporting

[Figure labels: Internal environment; Objective setting; Event identification; Risk assessment; Risk response; Control activities; Information and communication; Monitoring. Levels: Entity-level; Division; Business Unit; Subsidiary]

Page 21: Enterprise Risk Management, Steven Sumners

Organizational effectiveness is grounded in risk-adjusted performance management

ERM governance

Key Elements
• Leadership, organizational alignment and accountabilities
• Defined performance goals and risk tolerance
• Work processes and controls
• Monitoring of key risk indicators
• Management information
• Rewards and incentives

Performance Management Framework
[Figure labels: Strategize, Define, Develop, Deploy; Assign, Operate, Control, Report; Re-evaluate; Monitor & Review; Examine, Innovate, Act; Analyze, Plan & Prioritize, Change]

Page 22: Enterprise Risk Management, Steven Sumners

Section agenda

Role of the CRO

Page 23: Enterprise Risk Management, Steven Sumners

Even good CROs occasionally miss a Key Risk Indicator

Role of CRO

Page 24: Enterprise Risk Management, Steven Sumners

Increased significance of the CRO

Role of the CRO

The CRO is a position that has grown in both significance and stature in most organizations.
• Yet current credit crisis has many investors and other external stakeholders asking “where was the oversight?”
• CROs help to:
  - Bring business and risk management together
  - Enable a portfolio view of risk
  - Link planning, performance management, risk and capital management

Page 25: Enterprise Risk Management, Steven Sumners

Why is a CRO needed

Role of the CRO

Key reasons for a CRO
• CROs are enablers and facilitators that bring the organization together
• Need for executive thinking and authority and the ability to balance roles of oversight and challenge.
• Provide a portfolio view of risk while understanding the business and be able to communicate effectively with all arms of the organization.
• Encourages and rewards scrutiny and challenge, even if it appears to go against the strategic change.
• The CRO is a key responsible partner in all areas of risk and risk management
• The CRO should serve as the catalyst for enterprise risk & return opportunities – Particularly emerging risk
• The CRO must develop effective enterprise risk communication with consistent measurement criteria for both the BOD and senior management

Page 26: Enterprise Risk Management, Steven Sumners

Attributes of a good CRO

Role of the CRO

• Holistic understanding of the firm’s strategies and core competencies
• Must be able to add clarity around the setting of risk tolerance, appetite and risk limits
• Maintains an appropriate level of broad-based technical capabilities (actuarial, finance, economics, underwriting, capital markets, etc.) and market knowledge
• Owns economic capital development and provides a level of independence over the risk management process including how and when capital should be deployed to the business units
• Able to provide clear and accountable focus for the management of risk
• Provides a monitoring and validation role that spans across the enterprise and is not limited to traditional internal controls
• Must maintain a direct reporting line (or at least direct access) to the CEO and access to the BOD

Page 27: Enterprise Risk Management, Steven Sumners

Attributes of a good CRO (cont’d)

Role of the CRO

• Must maintain a direct reporting line (or at least direct access) to the CEO and access to the BOD
• Effective at communicating and interacting with the Board/senior management and external stakeholders including the ability to explain risk issues in practical understandable business terminology and language rather than technical concepts
• Ability to provide coaching and advising the business in how to monitor and manage risk within a standardized-wide approach
• Ability to stretch the imagination on what could be possible in dealing with abstract concepts and the courage to explore new areas with little or no direction or precedence.

Page 28: Enterprise Risk Management, Steven Sumners

“We all know what can happen to the CRO”

Page 29: Enterprise Risk Management, Steven Sumners

Section Two

ERM Overview

Page 30: Enterprise Risk Management, Steven Sumners

ERM Overview – Organization and people

Organisation and people; Limits and controls; Methodologies & Models; Systems; Data; Policies; Reporting

• Centralized risk management function
• Independent CRO or senior executive with risk role
• Oversight committees at the Board / senior management levels
• Risk awareness, culture and values
• Risk training
• Talent management
• Linkages between risk and compensation

Page 31: Enterprise Risk Management, Steven Sumners

Overall Responsibility for Corporate Risk Management

Page 32: Enterprise Risk Management, Steven Sumners

Industry’s Ability to Attract Talent

Page 33: Enterprise Risk Management, Steven Sumners

Interaction Between Business and Risk Management

Page 34: Enterprise Risk Management, Steven Sumners

ERM Overview – Limits and Controls

• Define overall and individual risk appetite
• Risk assessments & inventories
• Individual risk, product, exposure limits and triggers
• Risk controls
• Risk escalation

Page 35: Enterprise Risk Management, Steven Sumners

Defining Risk Appetite and Limits

[Figure labels: Insurer Overall Risk Appetite; BU 1 Appetite, BU 2 Appetite, BU 3 Appetite; Risk Appetite by Product (Prod. 1, Prod. 2, Prod. 3, Prod. 4, Prod. 5); Product Limits]

Page 36: Enterprise Risk Management, Steven Sumners

Risk Appetite

• Turns the story into some numbers
• To effectively drive risk management need to specify both:
  - Severity
  - Probability
• ERM programs may have multiple defined risk appetites
  - Capital (Ruin focus)
  - Earnings (Volatility focus)
  - Rating (May be driver of probability choice)

Permission to reprint or distribute any content from this presentation requires the prior written approval of Standard & Poor’s.

Page 37: Enterprise Risk Management, Steven Sumners

Risk Limits

• Hard Limits or Soft Limits?
  - Are they really limits if nothing happens when they are exceeded?
• Relative or Absolute Limits
  - Is business growth impacted by limit systems?
• Add up to Overall Risk Appetite or larger or smaller value?
  - Take into account diversification?
  - Provide for tactical opportunities
• Allocation process
• Enforcement

Page 38: Enterprise Risk Management, Steven Sumners

Other Risk Terms….

Risk Tolerance – The upper bound of Bad Events that the company wants to avoid, e.g.:
• Loss of capital
• Earnings shortfall
• Damage to reputation
• Damage to ability to sell business in key markets
• Loss of rating

Page 39: Enterprise Risk Management, Steven Sumners

Other Risk Terms (cont’d)….

Risk Preferences

• Uncertainty
• Complexity
• Location
• Risk transfer
• Time frame
• Concentrations
• Frequency/Severity threshold minimum
• Class
• Experience/Expertise

Page 40: Enterprise Risk Management, Steven Sumners

Process in Place to Define Risk Appetite

Page 41: Enterprise Risk Management, Steven Sumners

Process in Place to Deal with Breaches of Limits

Page 42: Enterprise Risk Management, Steven Sumners

ERM Overview – Methodologies & Models

• Insurance, market, credit risk management
• Operational risk management
• Economic capital models & capital allocation
• Risk analytics, including scenario analysis, risk indicators, risk-adjusted returns
• Risk transfer strategies
• Linkage of planning and risk strategy
• Linkages to product pricing
• Performance management
• Capital management

Page 43: Enterprise Risk Management, Steven Sumners

Economic capital models

Key areas where survey respondents identified benefits of implementing an economic capital model:
• Better allocation of capital than under a regulatory capital model
• Definition of risk appetite
• Freeing up of capital for use in the business
• Changes in the pricing of products to better reflect risk
• Changes in strategic direction after assessing risk-adjusted performance

[Figure labels: Assets available for required capital; “Excess” Capital; Economic Capital; Assets covering liabilities; Liabilities]

Page 44: Enterprise Risk Management, Steven Sumners

Capturing Risk

Page 45: Enterprise Risk Management, Steven Sumners

Guide Timing for Model Development

Page 46: Enterprise Risk Management, Steven Sumners

Model and Control Environment


Page 47: Enterprise Risk Management, Steven Sumners

Operational Risk

Traditional Operational Risk Management - Separate Silo Risk Management for:
• IT Risks
• HR Risks
• Regulatory & Compliance Risks
• Fraud Risk
• Internal Controls
• Reputation Risk
• Business Continuity
• Distribution Risks
• Outsourcing/Vendor Risk

Page 48: Enterprise Risk Management, Steven Sumners

Operational Risk Management

Enterprise ORM – leading to Strong ORM assessment by S&P usually associated with:
• Comprehensive assessment of risks & control capabilities
• Identification of risks not adequately controlled by existing programs
• Prioritization
• Development of key risk indicators, Tracking process & problem resolution system

Excellent ORM assessment usually associated with Strong program
• In place for several years
• Repeated application
• Refinements of controls & KRI & response programs

Page 49: Enterprise Risk Management, Steven Sumners

Operational Risk

Survey Results: Key Trends
• <10% recognize operational risk management as a competitive advantage
• Integration of Operational risk into the broader ERM policies and assessments and monitoring are at a limited stage
  - < 1/3 have formalized monitoring and reporting processes to support ERM functions
  - <15% capable to obtain Operational risk management data
  - low level of comfort on data integrity

Page 50: Enterprise Risk Management, Steven Sumners

Length of Time Corporate Operational Risk Management Function in Place

Page 51: Enterprise Risk Management, Steven Sumners

Satisfaction With Operational Risk Management

Page 52: Enterprise Risk Management, Steven Sumners

Use of Operational Risk Management

Page 53: Enterprise Risk Management, Steven Sumners

ERM Overview - Systems

• ERM supporting technology
• System interface, mapping tools, middleware
• Risk registers
• Risk reporting tools

Page 54: Enterprise Risk Management, Steven Sumners

Systems Strategy Rating

Page 55: Enterprise Risk Management, Steven Sumners

Priority IT Capabilities

Page 56: Enterprise Risk Management, Steven Sumners

Integration of Risks and Controls Across the Organization Through Technology

Page 57: Enterprise Risk Management, Steven Sumners

ERM Overview – Data

• Data quality assessments
• Risk and portfolio data requirements – data definitions, data cleansing, data access
• Data warehouses
• Industry data and benchmarking

Page 58: Enterprise Risk Management, Steven Sumners

Level of Confidence in the Quality of Data Supplying Specific Areas

Page 59: Enterprise Risk Management, Steven Sumners

Data Management Problems

Page 60: Enterprise Risk Management, Steven Sumners

Data Strategy Rating

Page 61: Enterprise Risk Management, Steven Sumners

Rating Data Management Expenditures

Page 62: Enterprise Risk Management, Steven Sumners

ERM Overview – Policies

• Market, credit, insurance, operational risk policies and procedures, including:
  • Risk rating policies;
  • Exposure measurement policies;
  • Risk limit policies;
  • Monitoring and review policies;
  • Risk transfer policies;
  • Management and board reporting policies.
• Overall risk policies

Page 63: Enterprise Risk Management, Steven Sumners

ERM Overview – Reporting

• Key risk indicators that quantify major trends and risk exposures
• Limit exception reporting
• Risk dashboards
• Board reporting, including enterprise view on aggregate losses, risk incidents, policy exceptions, key exposures, KRIs
• ERM disclosures
• Finance effectiveness – exploiting synergies between requirements for financial reporting, ERM, Solvency II, and IFRS

Page 64: Enterprise Risk Management, Steven Sumners

ERM Overview – An Illustrative Framework

[Figure: ERM framework with layers Strategy, Process, Infrastructure and Environment, plus Validation/re-assessment]
Strategy: Business mission and strategy; Risk strategy; Value proposition; Risk appetite
Process: Risk awareness/Identification; Risk assessment/Response; Operations; Measurement and Control; Reporting
Infrastructure: Organisation and people; Limits and controls; Methodologies & Models; Systems; Data; Policies; Reporting
Environment: Culture; Training; Communication; Performance measures; Reward

Page 65: Enterprise Risk Management, Steven Sumners

Section agenda

Closing the gaps

Page 66: Enterprise Risk Management, Steven Sumners

Current ERM practices vs. targeted practices

Closing the gaps

ERM practice: Risk culture
Current:
• Program structured solely to respond to demands of external stakeholders
• Silo-based risk management
Targeted:
• Tone at the top
• Management encouraged to act
• ERM training and talent management
• Risk-adjusted incentives

ERM practice: Risk assessment
Current:
• Lack of internal challenge
• Acceptance of dated views
Targeted:
• Frequent, open dialogue
• Exchange of risk information
• Encourage internal challenge

ERM practice: Risk measurement
Current:
• Blind reliance upon unchallenged or third party models
Targeted:
• Models and tools that are “fit for purpose”
• Frequent validation

ERM practice: Risk aggregation
Current:
• Reliance upon judgment alone
Targeted:
• ERM enabled systems, data
• Active assessment of aggregation and correlation

ERM practice: Alignment of risk and strategy
Current:
• Reactive risk management
Targeted:
• Set and communicate enterprise-wide risk appetite
• Capital allocation
• Establish targets and limits
• Monitor limit breaches

Page 67: Enterprise Risk Management, Steven Sumners

PwC’s ERM Service Offerings

Insurance risk management has always been about risk.

When it comes to ERM, nothing should get in the way of opportunities

Page 68: Enterprise Risk Management, Steven Sumners

Questions